Vendor Risk Management Insights

In a recent article in the ABA Journal, noted cybersecurity expert and RiskRecon Advisor, Yong-Gon Chon, shared his thoughts on what law firms can do to bolster their cybersecurity. In particular, Chon suggests learning from other industries. For example, law firms can look to financial institutions, which have long struggled with protecting data as required under the Gramm-Leach-Bliley Act, he said. Data protection is key.

RiskRecon CEO and Founder Kelly White talks to Data Breach Today about a new initiative by the Cyber Readiness Institute that aims to address vendor risk by promoting to smaller enterprises the cybersecurity best practices used by Fortune 500 companies.

Calculating cyber risk is a key element of any sound risk management strategy. While traditional risk management models have focused on financial, process, workplace and IT factors, for many organizations cyber risk is still a new component in their risk assessment practices. Yet issues such as accurately measuring exposure, understanding the correct level of security spend, and whether or not to buy cyber insurance (and how much to buy) depend on hard numbers. How do you tackle quantifying these concerns in practical business terms?

I’m joining the Board at RiskRecon because with my 20+ years of experience working in information security, I truly believe their offering solves the failing state that dominates this domain.

To put it bluntly, Einstein defined INSANITY as “doing the same thing over and over again and expecting different results.” Over my long tenure in information security, I have witnessed exactly that: INSANITY. From firewalls to next-gen firewalls to something better than next-gen firewalls; from anti-virus to endpoint protection to endpoint protection with machine learning to AI orchestrated through “frictionless security,” we are doing the same thing over and over again expecting a different result. In some sense things are different—they’re worse. According to the 2011 Verizon Data Breach Investigations Report (DBIR), the cumulative caseload from 2004-2010 spanned over 1,700 breaches. In the 2018 DBIR alone it was 2,200.

While security vulnerabilities are found in many technologies, their presence doesn’t necessarily equal risk. Borrowing the FAIR Institute’s definition, risk is the probable frequency and magnitude of loss. Knowing what security vulnerabilities are present in your infrastructure can help you understand the probable frequency, but it offers no indication of loss magnitude. Rather, solving risk requires two foundational data points: what security vulnerabilities your technology has, and the value of the assets in which those vulnerabilities exist. Without that context, a given vulnerability is the same as any other.

Reliably protecting systems and data over time requires the disciplined execution of a robust security program that spans an entire enterprise. As a former CISO and now advisor to third-party risk management teams, I’ve seen some vendors take the contrary position, arguing that customers need only be concerned with security of the systems that host their data.

The more questions you ask in your third party assessments, the higher the cost. But how much does an extra question really cost? And what is its value?

In late 2017, we at RiskRecon explored this issue as part of a detailed study in which we analyzed the third-party cyber risk management practices of thirty firms. Let’s walk through a few of the study data points that led us to the answer.

A public testimonial from a satisfied customer is marketing gold for most any business. Who isn’t proud to display the logos of respected brands on your customer list, or to publish case studies about the great work you did for them? When I was a CISO of a top-30 financial institution, vendors frequently offered us financial incentives for permission to leverage our brand. There’s also a human element – people like helping other people. In the digital age where a negative customer experience can spread like wildfire through social channels, positive testaments are more important than ever.

Be Prepared: The Media Might Drag you into a Vendor Data Breach Mess Even if Your Data Wasn’t Compromised

Kelly White | May 1, 2018

When your vendor gets breached, you might be dragged into the mess by media even if your data was not compromised. Consider the recent case of [24]7.ai data breach.

On April 4, 2018, online chat application vendor [24]7.ai publicly reported that they had “an incident potentially affecting the online customer payment information of a small number of our client companies…” Shortly afterwards, well-known corporations Delta, Sears, Kmart and Best Buy released statements acknowledging that their customer data was impacted by this breach.